[EMAIL PROTECTED] wrote:

I added these rules in /etc/shorewall/rules to drop all packages from
the internal network.

DROP           loc:192.168.2.0/24      net     ipp2p:all
DROP           net             loc:192.168.2.0/24      ipp2p:all

Are they enough to drop the packages from this network (because I want
to drop them, without marking)?

Or do I need to set them in a different way to get effective control over
packets that are going through the server?

Those rules will do nothing if you put them in the NEW section of the rules file. And if you put them in the ESTABLISHED section, they will eat a great number of CPU cycles. If you extend them to mark connections in an attempt to save CPU cycles, then you run the significant risk of running out of conntrack entries because the marked connections cannot be shut down properly.

That is why we recommend that you try to control P2P bandwidth utilization rather than try to stop it outright. And if you really want to try to stop it, you have to proxy EVERY CONNECTION from your local net and use the proxy to do the filtering.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
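
A simplified model of why the section a payload-matching rule sits in matters, as an added example that is not part of the original message and is not Shorewall or netfilter code. It assumes a TCP connection whose opening SYN carries no payload, treats every later packet as ESTABLISHED, and uses a hypothetical `payload_is_p2p` check as a stand-in for the ipp2p match; all packets are constructed.

```python
# Simplified model, not Shorewall or netfilter code. All packets are constructed.
from dataclasses import dataclass

BT_HELLO = b"\x13BitTorrent protocol"  # prefix of a BitTorrent peer handshake

@dataclass
class Packet:
    flags: str
    payload: bytes = b""

def constructed_connection(first_payload, data_packets=1000):
    """TCP three-way handshake, one application hello, then bulk data."""
    pkts = [Packet("SYN"), Packet("SYN,ACK"), Packet("ACK"),
            Packet("PSH,ACK", first_payload)]
    pkts += [Packet("ACK", b"\x00" * 1400) for _ in range(data_packets)]
    return pkts

def payload_is_p2p(pkt):
    """Hypothetical stand-in for the ipp2p match: signature search in payload."""
    return pkt.payload.startswith(BT_HELLO)

def run(packets, section):
    """Apply a DROP-on-P2P rule placed in `section` of the rules file.

    Returns (index of the first dropped packet or None, payload inspections).
    """
    inspections = 0
    for i, pkt in enumerate(packets):
        # Only the opening SYN is NEW; once the reply is seen, conntrack
        # classifies the rest of the connection as ESTABLISHED.
        state = "NEW" if i == 0 else "ESTABLISHED"
        if state != section:
            continue  # the packet never traverses rules in the other section
        inspections += 1
        if payload_is_p2p(pkt):
            return i, inspections
    return None, inspections

P2P = constructed_connection(BT_HELLO + bytes(48))
WEB = constructed_connection(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    for name, conn in (("p2p", P2P), ("web", WEB)):
        for section in ("NEW", "ESTABLISHED"):
            print(name, section, run(conn, section))
```

In the NEW section the rule only ever sees the empty SYN and never matches; in the ESTABLISHED section it catches the P2P hello but also inspects every packet of the unrelated web connection.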
